PAN-OS 7.0.1 Integration?

08-13-2015 09:25 PM

I was curious if anyone had the CPPM/PAN integration running successfully with PAN-OS 7.0.1. Back in February we had run a POC with a couple of PAN boxes and setting up the trigger updates for session-notify was a breeze. Fast forward to today, and we've finally received our own PAN boxes which we have running in tandem with the POC boxes while we export configs etc. On the CPPM side, I created two additional enforcement profiles (one for each new appliance), assigned them to the appropriate policies, and... nothing.

I've combed over the configs of the old POC vs new PAN boxes and everything is the same except for the version of PAN-OS and user account type. The old POCs are on 6.1.3 and the new boxes are on 7.0.1. The old POCs are being updated via full-blown admin accounts whereas I'm attempting to get the XML API USER-ID role working on the new boxes (per the Aruba & PAN Integration guide). Just to rule it out, I changed the accounts on the new boxes to full-blown admins and they are still not sending UID info.

I thought that maybe I had gotten my passwords mixed up between CPPM and PAN, but I can take that auth URL, fill in the PAN IP along with appropriate username/password, paste it in a browser, and get a success/API key returned from PAN.

I've got a TAC case open but figured I'd poll the audience here to see if anyone has this working already. If no one has any ideas, I suppose I'll be rolling back to PAN-OS 6.x this weekend and report my findings.

Re: PAN-OS 7.0.1 Integration?

08-14-2015 03:20 AM

Hello,

We recently became aware of an interoperability issue in PAN-OS 7.x and CPPM. Upon a joint investigation between the CPPM & PANW engineers, it appears there was a change made in the 7.x code. I've just reached out to see if I can get an update from PAN regarding the release of a patch that will incorporate a fix. Once I have some news I will update this thread.

Best Regards-d

Snr Tech Marketing Engineer - ClearPass


Re: PAN-OS 7.0.1 Integration?

08-14-2015 09:32 AM

@dannyjump - Appreciate the update. You may want to pass word along to TAC, as the engineer I spoke to yesterday was unaware of any existing issues between CPPM & PAN-OS 7. I will definitely continue to monitor this thread for a patch ETA.

For anyone else having similar issues, I downgraded from PAN-OS 7.0.1 to 6.1.6 and immediately saw the XMLAPI communication with CPPM come back.